xref: /freebsd/share/man/man4/gif.4 (revision 12900fe3177e3fdaf6e97548b620c7321251e60f)

.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     $Id: gif.4,v 1.2 1999/09/29 15:36:17 itojun Exp $
.\"     $FreeBSD$
.\"
.Dd April 10, 1999
.Dt GIF 4
.Os
.Sh NAME
.Nm gif
.Nd
.Tn Generic tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device gif 4"
.Sh DESCRIPTION
The
.Nm
interface is a generic tunnelling pseudo device for IPv4 and IPv6.
It can tunnel IPv[46] traffic over IPv[46].
Therefore, there can be four possible configurations.
The behavior of
.Nm
is mainly based on RFC1933 IPv6-over-IPv4 configured tunnel.
.Pp
To use
.Nm gif ,
administrator needs to configure protocol and addresses used for the outer
header.
This can be done by using
.Xr gifconfig 8 ,
or
.Dv SIOCSIFPHYADDR
ioctl.
Also, administrator needs to configure protocol and addresses used for the
inner header, by using
.Xr ifconfig 8 .
Note that IPv6 link-local address
.Pq those start with Li fe80::
will be automatically configured whenever possible.
You may need to remove IPv6 link-local address manually using
.Xr ifconfig 8 ,
when you would like to disable the use of IPv6 as inner header
.Pq like when you need pure IPv4-over-IPv6 tunnel .
Finally, use routing table to route the packets toward
.Nm
interface.
.Pp
.Nm
interface can be configued to perform bidirectional tunnel, or
multi-destination tunnel.
This is controlled by
.Dv IFF_LINK0
interface flag.
Also,
.Nm
can be configured to be ECN friendly.
This can be configured by
.Dv IFF_LINK1 .
.\"
.Ss Bidirectional and multi-destination mode
Usually,
.Nm
implements bidirectional tunnel.
.Xr gifconfig 8
should configure a tunnel ingress point
.Pq this node
and an egress point
.Pq tunnel endpoint ,
and
one
.Nm
interface will tunnel to only a single tunnel endpoint,
and accept from only a single tunnel endpoint.
Source and destination address for outer IP header is always the
ingress and the egress point configued by
.Xr gifconfig 8 .
.Pp
With
.Dv IFF_LINK0
interface flag,
.Nm
can be configured to implement multi-destination tunnel.
With
.Dv IFF_LINK0 ,
it is able to configure egress point to IPv4 wildcard address
.Pq Nm 0.0.0.0
or IPv6 unspecified address
.Pq Nm 0::0 .
In this case, destination address for the outer IP header is
determined based on the routing table setup.
Therefore, one
.Nm
interface can tunnel to multiple destinations.
Also,
.Nm
will accept tunneled traffic from any outer source address.
.Pp
When finding a
.Nm gif
interface from the inbound tunneled traffic,
bidirectional mode interface is preferred than multi-destination mode interface.
For example, if you have the following three
.Nm
interfaces on node A, tunneled traffic from C to A will match the second
.Nm
interface, not the third one.
.Bl -bullet -compact -offset indent
.It
bidirectional, A to B
.It
bidirectional, A to C
.It
multi-destination, A to any
.El
.Pp
Please note that multi-destination mode is far less secure
than bidirectional mode.
Multi-destination mode
.Nm
can accept tunneled packet from anybody,
and can be attacked from a malicious node.
.Pp
.Ss ECN friendly behavior
.Nm
can be configured to be ECN friendly, as described in
.Dv draft-ipsec-ecn-00.txt .
This is turned off by default, and can be turned on by
.Dv IFF_LINK1
interface flag.
.Pp
Without
.Dv IFF_LINK1 ,
.Nm
will show a normal behavior, like described in RFC1933.
This can be summarized as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Set outer TOS bit to
.Dv 0 .
.It Egress
Drop outer TOS bit.
.El
.Pp
With
.Dv IFF_LINK1 ,
.Nm
will copy ECN bits
.Po
.Dv 0x02
and
.Dv 0x01
on IPv4 TOS byte or IPv6 traffic class byte
.Pc
on egress and ingress, as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Copy TOS bits except for ECN CE
.Po
masked with
.Dv 0xfe
.Pc
from
inner to outer.
set ECN CE bit to
.Dv 0 .
.It Egress
Use inner TOS bits with some change.
If outer ECN CE bit is
.Dv 1 ,
enable ECN CE bit on the inner.
.El
.Pp
Note that the ECN friendly behavior violates RFC1933.
This should be used in mutual agreement with the tunnel endpoint.
.Pp
.Ss Backward compatibility
.Nm
interface will capture packets toward IPv4-in-IPv4 tunnel,
which has been used by
.Xr vif 4
multicast tunnel device
.Pq used in MBone community .
For compatibility, IPv4-in-IPv4 traffic will be matched to
.Nm
interfaces first, and then sent to
.Xr vif 4
if no match is found.
.\"
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr vif 4 ,
.Xr gifconfig 8 ,
RFC1933
.Rs
.%A	Sally Floyd
.%A	David L. Black
.%A	K. K. Ramakrishnan
.%T	"IPsec Interactions with ECN"
.%D	February 1999
.%O	http://www.aciri.org/floyd/papers/draft-ipsec-ecn-00.txt
.Re
.\"
.Sh HISTORY
The
.Nm
device first appeared in WIDE hydrangea IPv6 kit.